<h1>Malware Archaeology</h1>
<p><a href="https://www.malwarearchaeology.com/">https://www.malwarearchaeology.com/</a> (feed last updated Mon, 10 Dec 2018 01:44:49 +0000)</p>
<p>Malware Discovery and Analysis, Consulting, Training and resources to help in Malware Management</p>

<h2>Training at BSides OK April 10th-11th 2018</h2>
<p>HackerHurricane, Mon, 10 Dec 2018 01:59:17 +0000</p>
<h1>Malware Discovery and Basic Analysis</h1><h2>When: April 10th-11th 2018</h2><h2>Where: BSides OK (just southwest of Tulsa)</h2><ul data-rte-list="default"><li><h2><a href="https://www.bsidesok.com/" target="_blank">BSidesok.com</a></h2></li></ul><ul data-rte-list="default"><li><h3><a href="http://www.glenpoolconferencecenter.com/167/Glenpool-Conference-Center" target="_blank">Glenpool Conference Center</a> in Glenpool, OK</h3></li><li><h2>Hotel - Holiday Inn Express &amp; Suites Glenpool Tulsa South (next door)</h2></li></ul><p>Course Description:</p><p>Malware Discovery and Malware Analysis are essential skills for today’s Information Security, Security Operations Center (SOC), and IT professionals. This course is perfect for people wanting to improve and get faster at Incident Response.</p><p>This course focuses on performing fast triage: how to discover whether a system has malware, how to build a malware analysis lab, and how to perform basic malware analysis quickly. The goal is to apply the results to Malware Management, producing actionable information that improves your Information Security program. The tools, techniques and steps used to analyze malware and determine whether a system is clean or truly infected will be covered. 
The concept of Malware Management, Malware Discovery and Basic Malware Analysis will be discussed, with exercises linking the three concepts together.</p><ul data-rte-list="default"><li><p><a href="https://www.malwarearchaeology.com/s/Malware-Discovery-and-Basic-Analysis-Training-2018.pdf" target="_blank">PDF of course description</a></p></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2018/12/9/training-at-bsides-ok-april-10th-11th-2018">https://www.malwarearchaeology.com/home/2018/12/9/training-at-bsides-ok-april-10th-11th-2018</a></p>

<h2>Training in Houston April 9th, 2018</h2>
<p>HackerHurricane, Mon, 10 Dec 2018 01:44:11 +0000</p>
<h1>MITRE ATT&amp;CK, What is it, how to use and apply it to your organization</h1><h2>When: April 9th, 2018 (1-Day)</h2><h2>Where: HouSecCon, Marriott Marquis Houston</h2><ul data-rte-list="default"><li><h2><a href="http://houstonseccon.org/" target="_blank">http://houstonseccon.org/</a></h2></li></ul><h2>Course Description:</h2><p>MITRE created “Adversarial Tactics, Techniques &amp; Common Knowledge” (ATT&amp;CK) to help security practitioners understand the actual tactics and techniques that adversaries use against us. The advantage of ATT&amp;CK is that it gives us a framework for understanding how we might detect, respond to, and prevent many of these techniques. 
Building your own ATT&amp;CK coverage map provides a way to record which technologies, procedures, playbooks, reports/queries, and alerts you already have for each technique, and then to identify the gaps that remain so they can be addressed.</p><ul data-rte-list="default"><li><p><a href="https://www.malwarearchaeology.com/s/Mitre-ATTCK-What-you-need-to-know-to-start-using-it-Training-2018.pdf" target="_blank">PDF of course description</a></p></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2018/12/9/training-in-houston-april-9th-2018">https://www.malwarearchaeology.com/home/2018/12/9/training-in-houston-april-9th-2018</a></p>

<h2>Upcoming Training in San Antonio</h2>
<p>HackerHurricane, Thu, 13 Sep 2018 11:49:58 +0000</p>
<p>We are working with the Alamo ISSA Chapter to put on a 1-Day training. Stay tuned for details and follow us on Twitter.</p>
<p><a href="https://www.malwarearchaeology.com/home/2018/9/13/upcoming-training-is-san-antonio">https://www.malwarearchaeology.com/home/2018/9/13/upcoming-training-is-san-antonio</a></p>

<h2>Windows Incident Response and Logging Training - Houston Weds Mar 22nd</h2>
<p>HackerHurricane, Wed, 11 Jan 2017 12:54:30 +0000</p>
<p>As part of HouSecCon at Hotel Derek we are putting on a 1-Day '<em><strong>Windows Incident Response and Logging</strong></em>' course to help attendees get up to speed on basic IR concepts and to answer five questions about Windows logging and auditing:</p><ol><li>Why is Windows audit logging so important?</li><li>How do you check a Windows system for proper audit logging?</li><li>Where do you get the information on what to set for proper audit 
logging?</li><li>How do you set the proper things for proper audit logging?</li><li>What tools can be used to view the audit logs?</li></ol><p>You can sign up here for the training:</p><ul><li><a target="_blank" href="https://www.eventbrite.com/e/houseccon-70-training-classes-march-22-tickets-27291401316"><strong>HouSecCon Windows IR and Logging Training</strong></a></li></ul><p>And sign up for the conference on Thursday here:</p><ul><li><strong><a target="_blank" href="http://houstonseccon.com/">HouSecCon Security Conference</a></strong></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2017/1/11/windows-incident-response-and-logging-training-houston-weds-mar-22nd">https://www.malwarearchaeology.com/home/2017/1/11/windows-incident-response-and-logging-training-houston-weds-mar-22nd</a></p>

<h2>Malware Discovery and Windows Incident Response &amp; Logging Training - Austin Dec 12-14</h2>
<p>HackerHurricane, Wed, 31 Aug 2016 11:56:42 +0000</p>
<p><strong>Malware Archaeology</strong>, in conjunction with the <strong>Capitol of Texas ISSA</strong> chapter, is hosting a 2-day Malware Discovery and Basic Analysis class and a 1-day Windows Incident Response and Logging class at the Wingate in Round Rock.</p><p>Looking to up your malwarez hunting skillz, learn some basics about Windows Incident Response and become a Windows logging guru? Come to this class and learn how the blue teamers do it and catch the bad guys.</p><p>More info is on the Austin ISSA website; register here:</p><ul dir="ltr"><li><a target="_blank" href="http://malwarearchaeologyaus.eventbrite.com/">Registration for the training</a></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/8/31/malware-discovery-and-windows-incident-response-logging-training-austin-dec-12-14">https://www.malwarearchaeology.com/home/2016/8/31/malware-discovery-and-windows-incident-response-logging-training-austin-dec-12-14</a></p>

<h2>LOG-MD selected for Blackhat Arsenal based on the 'Windows Logging Cheat Sheet'</h2>
<p>HackerHurricane, Mon, 01 Aug 2016 18:39:49 +0000</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/579f93e1893fc067e00a75fc/1470075881339/" data-image-dimensions="952x743" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="579f93e1893fc067e00a75fc" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/579f93e1893fc067e00a75fc/1470075881339/?format=1000w" />
<p>Come by Blackhat Arsenal on Thursday and check out <strong>LOG-MD</strong> in action: the latest version shows how to check and set Windows audit settings and then harvest malwarious activity from Windows systems.</p><h3 class="text-align-center"><strong>LOG-MD</strong><br />Michael Gough &amp; Brian Boettcher<br />Palm Foyer, Level 3, Station 8<br />16:00 - 17:50</h3>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/579f93fd893fc067e00a7776/1470075975940/" data-image-dimensions="500x140" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="579f93fd893fc067e00a7776" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/579f93fd893fc067e00a7776/1470075975940/?format=1000w" />
<p>Based on the '<em><strong>Windows Logging Cheat Sheet</strong></em>', <strong>LOG-MD</strong> audits a Windows system for compliance with the 'Windows Logging Cheat Sheet', CIS, US-GCB and AU-ACSC standards. If the system fails, it creates a report that tells you what to set and guides you to where the items needed to pass the audit check are set. Once the system is properly configured, <strong>LOG-MD</strong> harvests security-related log data to help you investigate a suspect system.</p><p>In addition, <strong>LOG-MD</strong> can perform full file-system hashing to create a baseline that can be compared against a suspect system. <strong>LOG-MD</strong> can also baseline the registry and compare a suspect system's registry to a known-good baseline to find altered settings, and even look for LARGE registry keys where malware hides its payloads.</p><p>Come by Blackhat Arsenal and check us out, and maybe get a goody too ;-)</p>
<a href="https://www.blackhat.com/us-16/arsenal.html#log-md" target="_blank">
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/579f95beb3db2bfa039a2fa4/1470076400497/" data-image-dimensions="147x23" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="579f95beb3db2bfa039a2fa4" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/579f95beb3db2bfa039a2fa4/1470076400497/?format=1000w" />
</a>
<p><a href="https://www.malwarearchaeology.com/home/2016/8/1/log-md-selected-for-blackhat-arsenal-based-on-the-windows-logging-cheat-sheet">https://www.malwarearchaeology.com/home/2016/8/1/log-md-selected-for-blackhat-arsenal-based-on-the-windows-logging-cheat-sheet</a></p>

<h2>Malware Discovery Training coming to Austin, TX. Oct/Nov</h2>
<p>HackerHurricane, Thu, 28 Jul 2016 16:26:55 +0000</p>
<p>Austin - Oct/Nov 2016 - Sponsored by the ISSA Capitol of Texas chapter<br />Wingate Round Rock Conference Center</p><p>Oct 3rd thru 5th, 2016 (tentative date; it may have to move to a later date)</p><ul dir="ltr"><li><h3><a target="_blank" href="http://AustinISSA.org">AustinISSA.org</a></h3></li></ul><p>More information and registration here:</p><ul dir="ltr"><li><a target="_blank" href="http://malwarearchaeologyaus.eventbrite.com">http://malwarearchaeologyaus.eventbrite.com</a></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/7/28/malware-discovery-training-coming-to-austin-tx-octnov">https://www.malwarearchaeology.com/home/2016/7/28/malware-discovery-training-coming-to-austin-tx-octnov</a></p>

<h2>Malware Discovery Training coming to Oklahoma City July 18-20</h2>
<p>HackerHurricane, Thu, 09 Jun 2016 11:24:33 +0000</p>
<p><strong>Oklahoma City - Malware Discovery and Basic Malware Analysis</strong></p><p>George Epperly Business Building - Rose State College - 6420 Southeast 15th Street, Midwest City, OK 73110</p><ul><li><strong>July 18th-19th 2016 - Sponsored by the ISSA OKC chapter</strong></li></ul><p><strong>Oklahoma City - Windows Incident Response and Logging</strong></p><ul><li><strong>July 20th 2016 - Sponsored by the ISSA OKC 
chapter</strong></li><li><h3><strong><a target="_blank" href="http://www.issaokc.org/">ISSA-OKC website</a></strong></h3></li></ul><h3><strong>More information and register here:</strong></h3><ul><li><p><strong><a target="_blank" href="http://malwarearchaeologyokc.eventbrite.com/">http://malwarearchaeologyokc.eventbrite.com</a></strong></p></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/6/9/malware-discovery-training-coming-to-oklahoma-city-july-18-20">https://www.malwarearchaeology.com/home/2016/6/9/malware-discovery-training-coming-to-oklahoma-city-july-18-20</a></p>

<h2>Links to some of our presentations now posted</h2>
<p>HackerHurricane, Thu, 02 Jun 2016 03:34:47 +0000</p>
<h3>You can now get the links to some of our recent presentations here:</h3><ul><li><h3><a target="_blank" href="http://www.malwarearchaeology.com/presentations/"><strong>MalwareArchaeology.com/presentations</strong></a></h3></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/6/1/links-to-some-of-our-presentations-now-posted">https://www.malwarearchaeology.com/home/2016/6/1/links-to-some-of-our-presentations-now-posted</a></p>

<h2>Great shout out from Paul and John on the Security Weekly Enterprise Podcast Episode 5</h2>
<p>HackerHurricane, Thu, 02 Jun 2016 01:36:56 +0000</p>
<p>Paul Asadoorian and John Strand, discussing Log Management and SIEM, mention the Cheat Sheets to help you know what to set and what to look for in your Windows logs. 
Thanks gents, I guess it is time to come on the podcast and let you know what we are up to.</p><ul dir="ltr"><li><strong><a target="_blank" href="http://www.youtube.com/watch?v=aWCbJnT0-8c">Security Weekly Enterprise PodCast Episode 5</a></strong></li></ul><p>It is important to point out that you cannot start to gain the benefit of your Log Management solution or SIEM until you enable and configure your Windows log settings per the Cheat Sheets found here:</p><ul dir="ltr"><li><strong><a href="https://www.malwarearchaeology.com/cheat-sheets">Windows Logging Cheat Sheets</a></strong></li></ul><p>#Happy Hunting</p>
<p><a href="https://www.malwarearchaeology.com/home/2016/6/1/great-shout-out-from-paul-and-john-on-the-security-weekly-enterprise-podcast-episode-5">https://www.malwarearchaeology.com/home/2016/6/1/great-shout-out-from-paul-and-john-on-the-security-weekly-enterprise-podcast-episode-5</a></p>

<h2>Windows Top 10 Events to monitor from My Dell Enterprise Security Summit Talk</h2>
<p>HackerHurricane, Sun, 08 May 2016 02:38:51 +0000</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/572ea6997da24fce826bfa6e/1462675099706/" data-image-dimensions="632x469" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="572ea6997da24fce826bfa6e" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/572ea6997da24fce826bfa6e/1462675099706/?format=1000w" />
<p>Here is the presentation from the talk I gave at the Dell Enterprise Security Summit in Atlanta on April 21, 2016.</p><p><a target="_blank" href="http://www.slideshare.net/Hackerhurricane/the-top-10-windows-logs-event-ids-used-v10">SlideShare Presentation - Windows Top 10 Events to monitor</a></p>
<p><a href="https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk">https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk</a></p>

<h2>Malware Discovery and Basic Malware Analysis Training - May 19th-20th in Houston, TX.</h2>
<p>HackerHurricane, Tue, 03 May 2016 22:53:17 +0000</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/57292bc245bf215317771029/1462315974612/" data-image-dimensions="1798x910" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="57292bc245bf215317771029" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/57292bc245bf215317771029/1462315974612/?format=1000w" />
<p>We are hosting another <em><strong>Malware Discovery and Basic Analysis</strong></em> class in Houston at Rice University.</p><p><strong>When: May 19th-20th 2016</strong></p><p><strong>Sponsored by: the ISSA South Texas chapter.</strong></p><ul><li><a target="_blank" href="http://southtexasissa.org">southtexasissa.org</a></li></ul><h3><strong>Register here:</strong></h3><ul><li><p><a target="_blank" href="https://www.eventbrite.com/e/malware-discovery-and-basic-analysis-tickets-24495505717">https://www.eventbrite.com/e/malware-discovery-and-basic-analysis-tickets-24495505717</a></p></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/5/3/malware-discovery-and-basic-malware-analysis-training-may-19th-20th-in-houston-tx">https://www.malwarearchaeology.com/home/2016/5/3/malware-discovery-and-basic-malware-analysis-training-may-19th-20th-in-houston-tx</a></p>

<h2>Follow our updates via our RSS feed</h2>
<p>HackerHurricane, Thu, 03 Mar 2016 12:25:38 +0000</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56d82cd827d4bd2dbfc3e67f/1457007922490/" data-image-dimensions="250x125" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="56d82cd827d4bd2dbfc3e67f" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56d82cd827d4bd2dbfc3e67f/1457007922490/?format=1000w" />
<p>If you want to keep up with updates to our Malware Reports, Training, Cheat Sheets and other news, add our site to your favorite RSS reader.</p><ul dir="ltr"><li><a target="_blank" href="http://feeds.feedburner.com/MalwareArchaeology">http://feeds.feedburner.com/MalwareArchaeology</a></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/3/3/follow-our-updates-via-our-rss-feed">https://www.malwarearchaeology.com/home/2016/3/3/follow-our-updates-via-our-rss-feed</a></p>

<h2>More Malware Analysis Reports added</h2>
<p>HackerHurricane, Fri, 12 Feb 2016 12:49:23 +0000</p>
<p>A couple more reports have been added to help you with Malware Management. Malware Management can help you understand and know WHERE to look and WHAT to look for when it comes to a possibly infected system. You can read about Malware Management here:</p><ul><li><a target="_blank" href="https://www.malwarearchaeology.com/mmf">The Malware Management Framework</a></li></ul><p>You can find the updated Malware Analysis reports here:</p><ul><li><a target="_blank" href="http://malwarearchaeology.com/analysis">Malware Analysis Reports</a></li></ul><p>Also updated was the "Windows Splunk Logging Cheat Sheet", expanded to cover the Windows commands abused by hackers. 
You can get the Cheat Sheets here:</p><ul><li><a href="https://www.malwarearchaeology.com/cheat-sheets">Windows Splunk Logging Cheat Sheet</a></li></ul><p>And you can read a blog entry about Windows commands abused by hackers over at <a target="_blank" href="http://HackerHurricane.com">HackerHurricane.com</a>:</p><ul><li><a target="_blank" href="http://hackerhurricane.blogspot.com/2016/02/japanese-national-cert-blog-on-windows.html">Windows commands abused by hackers</a></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2016/2/12/more-malware-analysis-reports-added">https://www.malwarearchaeology.com/home/2016/2/12/more-malware-analysis-reports-added</a></p>

<h2>New for 2016, 2 new Cheat Sheets and an update</h2>
<p>HackerHurricane, Tue, 29 Dec 2015 01:48:18 +0000</p>
<p>Happy New Year everyone!</p><p>We have added two new cheat sheets and an update to the "<em><strong>Windows Logging Cheat Sheet</strong></em>" to kick off the new year!</p><p>Introducing:</p><ul><li>The "<a target="_blank" href="https://www.malwarearchaeology.com/cheat-sheets"><em><strong>Windows File Auditing Cheat Sheet</strong></em></a>"</li><li>The "<a target="_blank" href="https://www.malwarearchaeology.com/cheat-sheets"><em><strong>Windows Registry Auditing Cheat Sheet</strong></em></a>"</li></ul><p>To continue our efforts in providing the community with information that can help people improve their logging capabilities, and thus their overall security posture, we have released these two new cheat sheets focused on getting people started with file and registry auditing.</p><p>Why do file and registry auditing? Because there are common locations you can audit that will catch the bulk of commodity malware and many advanced malware artifacts. By configuring strategic auditing on key file directories 
and autorun registry locations, you can catch file drops as they happen and the registry keys used to launch the malware.</p><p>Take the Dec 2015 Dridex malware variant, where the malware created a file and a registry entry only when the system shut down or was rebooted. How would you detect this type of infection when the malware is only in memory while the system is running? File auditing on the %AppData% (AppData\Roaming) directory would catch the malware being written back to disk, and registry auditing would catch the launching command being written to the HKCU Run key on reboot or shutdown and deleted again on startup. You do not have to audit the entire disk or registry to do effective auditing, just the key places that are known to be used by commodity and more advanced malware. Practice <strong>Malware Management</strong> to improve and expand your auditing rules.</p><p>Read more on the Dec Dridex malware on Michael's HackerHurricane blog here:</p><ul><li><strong><a target="_blank" href="http://www.HackerHurricane.com">www.HackerHurricane.com</a></strong></li></ul><p>Read more on <strong>Malware Management</strong> here:</p><ul><li><strong><a target="_blank" href="https://www.malwarearchaeology.com/mmf">Malware Management</a></strong></li></ul><p>Auditing does not have to eat up your log management license, because well-tuned auditing adds very little to the logs. Event IDs 4663 (file system) and 4657 (registry value change) are what auditing adds to the Security log, and both only fire for objects that carry a SACL, which is exactly what the cheat sheets tell you to set. Of course, tweak your auditing rules to collect only what you need and remove unnecessary locations. You should increase your local maximum Security log size to 1GB in order to collect enough events before the log rotates, shooting for roughly 7 days of logs or more stored locally.</p><p>To refine your file and registry logging, use <strong>LOG-MD</strong> to evaluate what is being collected and tweak the auditing to reduce noisy folders, files and keys and collect only what is important to monitor 
security-wise. <strong>LOG-MD</strong> may be found here:</p><ul><li><a target="_blank" href="https://www.malwarearchaeology.com/log-md"><strong>LOG-MD</strong> - Log and Malicious Discovery tool</a></li></ul>
<p><a href="https://www.malwarearchaeology.com/home/2015/12/28/new-for-2016-2-new-cheat-sheets-and-an-update">https://www.malwarearchaeology.com/home/2015/12/28/new-for-2016-2-new-cheat-sheets-and-an-update</a></p>

<h2>DNS Issues at our Registrar service provider solved</h2>
<p>HackerHurricane, Tue, 27 Oct 2015 14:22:32 +0000</p>
<p>The DNS issue should now be resolved. You may now get to Log-MD.com.</p>
<p><a href="https://www.malwarearchaeology.com/home/2015/10/27/dns-issues-at-our-registrar-service-provider-solved">https://www.malwarearchaeology.com/home/2015/10/27/dns-issues-at-our-registrar-service-provider-solved</a></p>

<h2>DNS Issues at our Registrar service provider ;-/</h2>
<p>HackerHurricane, Tue, 27 Oct 2015 11:54:56 +0000</p>
<p>Technology has its bugs and we are no different. Our service provider is having DNS issues and Log-MD.com is not forwarding properly. We are aware of the issue and have opened a help request with them. Hopefully it will be resolved soon.</p>
<p><a href="https://www.malwarearchaeology.com/home/2015/10/27/dns-issues-at-our-service-provider-">https://www.malwarearchaeology.com/home/2015/10/27/dns-issues-at-our-service-provider-</a></p>

<h2>Malware Discovery and Basic Malware Analysis Training</h2>
<p>HackerHurricane, Fri, 04 Sep 2015 21:44:25 +0000</p>
<p>Do you want to know how to find malware? Improve your malware hunting skills? Learn from those who have had to deal with the worst kind of malware?</p><h2>Austin, TX. Oct 5-6, 2015</h2><h3>Round Rock Wingate Conference Center (BSides Austin location)</h3><p>Malware Discovery is an essential skill for today’s InfoSec and IT professionals. Many malware courses start you off with an already-infected system and go straight to deep analysis or even reverse engineering of the malware.</p><p>This course focuses on how to discover whether a system has malware, then how to do basic malware analysis and build a simple lab to do testing in. The goal is speed, so you can get back to other tasks. We will look at what tools you need and the techniques and steps to analyze malware so you can determine whether a system is clean or truly infected.</p><p>This course covers everything from everyday commodity malware that you might get in email or while surfing, to advanced malware in a targeted attack. 
The focus will be on Windows systems, but we will touch on some tools for Apple and Linux systems as well.</p><p><strong>Cost:</strong></p><ul><li><em><strong>$199 per person</strong></em></li><li><em><strong>$99 for ISSA, OWASP &amp; InfraGard members with discount code</strong></em></li></ul><h2><strong>Course Requirements:</strong></h2><ul><li><p>Bare-bones system running Windows</p></li><li><p>Laptop running a virtual machine (VirtualBox, VMware, Parallels, etc.)</p></li><li><p>Guest VM running Windows 7 or later</p></li><li><p>A list of tools will be provided on DVD the day of the training, or can be downloaded from Malware Archaeology the week of the training.</p></li><li><p>Malware samples will be provided</p></li><li><p>A cloud server for infecting is optional</p></li></ul><ul>
<li><a href="http://malwarearchaeology.eventbrite.com"><strong>REGISTER HERE</strong></a></li>
</ul>
<p><a href="https://www.malwarearchaeology.com/home/2015/9/4/malware-discovery-and-basic-malware-analysis-training">https://www.malwarearchaeology.com/home/2015/9/4/malware-discovery-and-basic-malware-analysis-training</a></p>

<h2>Detecting and Defending against PowerShell Shells</h2>
<p>HackerHurricane, Mon, 18 May 2015 04:25:41 +0000</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596737e4b0607a0bb1abf3/1431923944059/" data-image-dimensions="500x202" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596737e4b0607a0bb1abf3" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596737e4b0607a0bb1abf3/1431923944059/?format=1000w" />
<p>So much of our industry focuses on Red Team P0wnage. I read a retweet by my Con 'son' @Ben0xA last week on PowerShell Shells by Nikhil Mittal (@Nikhil_Mitt) of the 'Lab of a Penetration Tester' blog. Nikhil did a week of PowerShell Shells on his blog, found at:</p><ul><li><a target="_blank" href="http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html">Labofapenetrationtester - Week of PowerShell Shells</a></li></ul><p>Nikhil did a great five days of PowerShell Shell examples of different types. Here are the five PowerShell Shells Nikhil reported on:</p><ul><li>Day 1 - Interactive PowerShell shells over TCP</li><li>Day 2 - Interactive PowerShell shells over UDP</li><li>Day 3 - Interactive PowerShell shells over HTTP/HTTPS</li><li>Day 4 - Interactive PowerShell shells with WMI</li><li>Day 5 - Interactive PowerShell shells over ICMP and DNS</li></ul><p>This is a perfect exercise for Blue Teamers, as more and more malware is trying to use PowerShell, and by default Windows has terrible logging for detecting PowerShell use or misuse. PowerShell gives malwarians a way to persist their backdoors without leaving a malware payload on disk that we defenders might find. This method is also used by the Metasploit and 'Social Engineering Toolkit' (SET) pen testing tools.</p><p>The post-exploitation kit known as PowerShell is included in every newer version of Windows and is being used more and more by administrators, InfoSec pros and, yes, the malwarian hackers, since it is so powerful and already on the system, reducing the need for malware files to remain behind where they might be detected.</p><p>The week of PowerShell Shells is interesting in that you can try the shells in the five posts Nikhil created, as he provided great examples and sample code and scripts. 
This is kewl in that you can try them and, for those of us on the Blue Team side, figure out what we would do to detect this type of attack. If you are like me, you use these types of Red Team hackery posts to test, validate and improve your defenses.</p><p>So what can we do to defend against PowerShell P0wnage? A lot, actually, but you do have some configuration to do, which I have already discussed in a previous post. Let's take a direct look at one of the PowerShell Shells.</p><p>Here is a screenshot of the TCP PowerShell Shell I ran for the test.</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596eb4e4b0f7284bff1ce9/1431924413989/" data-image-dimensions="758x265" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596eb4e4b0f7284bff1ce9" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596eb4e4b0f7284bff1ce9/1431924413989/?format=1000w" />
<p>As you can see, the connection was successful.</p><p>So what can we detect for this type of attack?</p><p>First off, we need to make sure the system is ready to capture the behavior, so be sure you have the following items configured:</p><ol><li>Advanced Auditing enabled (Win 7 and Win 2008 and later)</li><li>Command line logging registry hack applied</li><li>Process Create - Success</li><li>PowerShell default profile enabled, enabling command line logging</li></ol><p>You can see how to enable and configure your logs to detect these types of attacks with my info:</p><ul><li><a target="_blank" href="http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html">PowerShell Logging</a> - Post</li><li><a target="_blank" href="http://www.slideshare.net/Hackerhurricane/ask-aalware-archaeologist">Command Line Logging - Ask a Malware Archaeologist</a> - Presentation</li><li><a target="_blank" href="https://malwarearchaeology.squarespace.com/s/Windows-Logging-Cheat-Sheet.pdf">Enable and Configure your logs - The Windows Logging Cheat Sheet</a></li></ul><p>Just as an example, and to get us started, here is what a listening netcat shell looks like in the logs. Event ID 4688 picks this up easily with the command line logging tweak!</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e8ee4b0f7284bff1c73/1431924366637/" data-image-dimensions="439x293" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596e8ee4b0f7284bff1c73" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e8ee4b0f7284bff1c73/1431924366637/?format=1000w" />
<p id="yui_3_17_2_2_1431923754757_90767">Now let's take a look at what you can detect when a PowerShell shell is executed. &nbsp;There are two ways to execute PowerShell scripts: inside a PowerShell shell and via a command shell. &nbsp;It was not clear how this was done in Nikhil's posts, so let's look at launching it both ways and how to detect this behavior. &nbsp;Also, it was not clear what the PowerShell ExecutionPolicy was set to on the system, so let's assume it is set to Restricted (the default) and the hacker would have to bypass this restriction. &nbsp;Here is what a failed execution looks like in the logs when the ExecutionPolicy is set to 'Restricted'.</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596dc8e4b02d567e74dd7b/1431924176379/" data-image-dimensions="1169x163" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596dc8e4b02d567e74dd7b" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596dc8e4b02d567e74dd7b/1431924176379/?format=1000w" />
<p>If a hacker wants to execute PowerShell scripts and bypass any restrictions, they will need to specify a bypass on the command line when launching PowerShell. &nbsp;<strong><em>EventID 4688</em></strong>&nbsp;will record this behavior and, if you have command line logging enabled, catch this condition every time. &nbsp;This should be a key alert that you set up, as it is a clear indication someone is trying to hack you!</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e1be4b0f7284bff1ae2/1431924255054/" data-image-dimensions="592x294" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596e1be4b0f7284bff1ae2" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e1be4b0f7284bff1ae2/1431924255054/?format=1000w" />
<p id="yui_3_17_2_2_1431923754757_83686">If the entire command was executed at the command line, it would look like this in the&nbsp;<strong><em>EventID 4688</em></strong>&nbsp;log entry. &nbsp;BAM! &nbsp;Got you sucka!</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e05e4b0f7284bff1a95/1431924231966/" data-image-dimensions="883x227" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596e05e4b0f7284bff1a95" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e05e4b0f7284bff1a95/1431924231966/?format=1000w" />
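<p>Detection logic for the conditions discussed so far, as an added example that is not part of the original post: a small Python rule set that pulls the command line out of Security EventID 4688 text (the Process Command Line field that the command line logging tweak adds) and out of the HostApplication and CommandLine fields of Windows PowerShell log EventID 500/501 entries, then matches the ExecutionPolicy bypass, NoProfile and netcat listen patterns. The event texts, the user name jdoe, the file paths and the port number are constructed samples.</p>

```python
"""Added example for this post: flag the command lines the post says to alert
on, using the text of Security EventID 4688 and of 'Windows PowerShell' log
EventID 500/501 entries the way a log management tool hands them to a rule.
The event texts below are constructed samples, not captures from the post."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Detection rules, run case-insensitively against the captured command line only.
RULES = [
    # -ExecutionPolicy Bypass / Unrestricted, including the abbreviated
    # switch forms PowerShell accepts (-ep, -ex, -exec).
    ("powershell_executionpolicy_bypass",
     r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b"),
    # -NoProfile / -nop skips the profile that would start transcript logging.
    ("powershell_noprofile", r"-nop(?:rofile)?\b"),
    # A netcat binary started with its listen switch (nc -l ...).
    ("netcat_listener", r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-l\w*"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Which field carries the command line in each (log, event id) pair.
FIELD_PATTERNS = {
    ("Security", 4688): [r"Process Command Line:[ \t]*(.+)"],
    ("Windows PowerShell", 500): [r"HostApplication=(.+)", r"CommandLine=(.+)"],
    ("Windows PowerShell", 501): [r"HostApplication=(.+)", r"CommandLine=(.+)"],
}

PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (user jdoe, paths and port 4444 are made up).
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 4688, "message":
        "A new process has been created.\r\n\r\nSubject:\r\n\tAccount Name:\t\tjdoe\r\n"
        "Process Information:\r\n\tNew Process Name:\t" + PS_EXE + "\r\n"
        "\tProcess Command Line:\tpowershell.exe -ExecutionPolicy Bypass -NoProfile "
        "-File C:\\Users\\jdoe\\AppData\\Local\\Temp\\run.ps1\r\n"},
    {"log": "Security", "event_id": 4688, "message":
        "A new process has been created.\r\n\r\nSubject:\r\n\tAccount Name:\t\tjdoe\r\n"
        "Process Information:\r\n\tNew Process Name:\tC:\\Windows\\System32\\notepad.exe\r\n"
        "\tProcess Command Line:\t\"C:\\Windows\\System32\\notepad.exe\" "
        "C:\\Users\\jdoe\\notes.txt\r\n"},
    {"log": "Security", "event_id": 4688, "message":
        "A new process has been created.\r\n\r\nSubject:\r\n\tAccount Name:\t\tjdoe\r\n"
        "Process Information:\r\n\tNew Process Name:\tC:\\Tools\\nc.exe\r\n"
        "\tProcess Command Line:\tnc.exe -l -p 4444\r\n"},
    {"log": "Windows PowerShell", "event_id": 500, "message":
        "Command \"Get-Process\" is Started. \r\n\r\nDetails: \r\n"
        "\tNewCommandState=Started\r\n\tHostName=ConsoleHost\r\n"
        "\tHostApplication=" + PS_EXE + " -ep bypass -nop\r\n"
        "\tCommandName=Get-Process\r\n\tCommandType=Cmdlet\r\n\tScriptName=\r\n"
        "\tCommandPath=\r\n\tCommandLine=Get-Process\r\n"},
    {"log": "Windows PowerShell", "event_id": 500, "message":
        "Command \"Get-ChildItem\" is Started. \r\n\r\nDetails: \r\n"
        "\tNewCommandState=Started\r\n\tHostName=ConsoleHost\r\n"
        "\tHostApplication=" + PS_EXE + "\r\n"
        "\tCommandName=Get-ChildItem\r\n\tCommandType=Cmdlet\r\n\tScriptName=\r\n"
        "\tCommandPath=\r\n\tCommandLine=Get-ChildItem\r\n"},
]


@dataclass(frozen=True)
class Alert:
    log: str
    event_id: int
    rule: str
    command_line: str


def extract_command_lines(event: Dict) -> List[str]:
    """Pull every command-line-bearing field out of one event's message text."""
    patterns = FIELD_PATTERNS.get((event["log"], event["event_id"]), [])
    found = []
    for pat in patterns:
        for m in re.finditer(pat, event["message"]):
            value = m.group(1).strip()   # drop the trailing \r of the event text
            if value:
                found.append(value)
    return found


def detect(events) -> List[Alert]:
    """Run every rule over every captured command line; one Alert per rule hit."""
    alerts = []
    for ev in events:
        for cmdline in extract_command_lines(ev):
            for name, rx in COMPILED:
                if rx.search(cmdline):
                    alerts.append(Alert(ev["log"], ev["event_id"], name, cmdline))
    return alerts


def rule_counts(alerts: List[Alert]) -> Dict[str, int]:
    """How often each rule fired, the figure a Top 10 alert report would show."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.log} {a.event_id} {a.rule}: {a.command_line}")
```

<p>Run as a script it prints one line per hit; in a central log management solution the same three regexes become the alert rule, applied to the 4688 Process Command Line field and to the 500/501 HostApplication field, since a bypass given on the PowerShell command line shows up in both places.</p>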
<p>Monitoring for an ExecutionPolicy bypass and/or NoProfile bypass would catch someone trying to p0wn you instantly. &nbsp;I recommend you make this one of the critical Top 10 conditions that you monitor and alert on!</p><p>Let's assume we ignore any EventID 4688 events and want to detect this using PowerShell logging. &nbsp;There are two ways to do this. &nbsp;The first, which is easier to integrate into a central Log Management solution, is to properly configure the PowerShell logs to capture command line activity. &nbsp;The other is to use the PowerShell Transcript logs, which can be configured to capture everything executed when a PowerShell shell is invoked. &nbsp;PowerShell Transcripts are text files usually found under the user's AppData directory structure.</p><p>Let's look at&nbsp;<strong><em>EventID 500 or 501</em></strong>&nbsp;of the 'Windows PowerShell' log to see what the PowerShell shell execution looks like.</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e3be4b0f7284bff1b5f/1431924284253/" data-image-dimensions="522x286" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596e3be4b0f7284bff1b5f" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e3be4b0f7284bff1b5f/1431924284253/?format=1000w" />
<p>As you can see, we are able to catch the hackery with either a Security Log EventID 4688 or a Windows PowerShell Log EventID 500 or 501.</p><p>Here are the details of the PowerShell script Nikhil provides executing.</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e59e4b0f7284bff1bab/1431924314418/" data-image-dimensions="1190x386" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596e59e4b0f7284bff1bab" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e59e4b0f7284bff1bab/1431924314418/?format=1000w" />
<p>You can easily see the IP and port used, streaming information, path, byte info and encoding. &nbsp;Clearly communication is taking place, and it shows up in the logs if they are properly configured.</p><p>The second method is the PowerShell Transcript log, which you can start from the default profile so that it runs each time PowerShell is invoked, set to either overwrite or append. &nbsp;This is what the PowerShell shell execution looked like when I was testing.</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e6be4b0f7284bff1bea/1431924332626/" data-image-dimensions="1019x319" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="55596e6be4b0f7284bff1bea" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55596e6be4b0f7284bff1bea/1431924332626/?format=1000w" />
<p id="yui_3_17_2_2_1431923754757_88816">As you can see, as kewl as the file-less PowerShell shell hacking may be, it is clearly detectable, and you MUST look for this behavior in your logs as it is being used much more in the malware I am seeing today. &nbsp;Within the last month I&nbsp;dissected&nbsp;a malware sample I received that was a Microsoft Word document that executed a VB script launching a command shell, calling a CScript script which then launched a PowerShell shell backdoor.<br>Being a Blue Team defender, I REALLY wish the Red Team breakers and hackers would include the Blue Team 'How To Defend' against the breaking and hackery they discuss... &nbsp;Instead, we Blue Teamers must digest these types of posts and create a counter-point post on how to defend against these attacks. &nbsp;</p><p>Happy Hunting!</p><p>#InfoSec #PowerShell #Defend</p>
https://www.malwarearchaeology.com/home/2015/5/17/58mtpqbdqo7kz8a9igxizv1p61591a
Protecting Card Key Systems on your network
HackerHurricane
Thu, 14 May 2015 22:37:24 +0000
http://feedproxy.google.com/~r/MalwareArchaeology/~3/j3A_WlgVE3E/protecting-card-key-systems-on-your-network
552092d5e4b0661088167e5c:5520a51fe4b0562b85237540:5555de7be4b0342593f69322
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5555de7be4b0342593f69323/1431692167212/iphone-20150514173724-0.jpg" data-image-dimensions="200x219" data-image-focal-point="0.5,0.5" alt="iphone-20150514173724-0.jpg" data-load="false" data-image-id="5555de7be4b0342593f69323" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5555de7be4b0342593f69323/1431692167212/iphone-20150514173724-0.jpg?format=1000w" />
<p>I was in the airport awaiting a flight this week and someone who saw my presentation on a Card Key system hack from a year or two ago stopped to ask if I had created a white paper to help in securing these systems from P0wnage like I demonstrated with a major vendor.&nbsp;</p><ul dir="ltr"><li><a target="_blank" href="https://youtu.be/gBDVkY9KgtM"><strong>Video of the Card Key exploiting a pair of gates</strong></a></li><li><a target="_blank" href="http://securityweekly.com/2014/09/16/join-us-for-episode-388-with-michael-gough-from-hacker-hurricane/"><strong>Paul's Security Weekly Podcast Episode 388</strong></a></li><li><strong><a target="_blank" href="http://hackerhurricane.blogspot.com/2011/03/w-my-security-research-discovers-major.html">Original Blog post on the exploit</a></strong></li></ul><p>I told him to check out my blog (this post specifically) and that I would write up something on the vulnerability that is easily exploited on many, if not most, Card Key systems using Lantronix Ethernet adapters.&nbsp; So here it is: what you need to know to assess and protect your existing Card Key systems' back-end controllers.</p><p>First off, newer Card Key system designs are moving away from the Lantronix daughter board concept by building Ethernet adapters right onto the controller board.&nbsp; This should fix many of the flaws we found and give the vendors more control over what they can code into their solution, but it does not mean that a clear text auth flaw will not exist in a new design; let's hope encryption is on by default in any new designs.&nbsp; Hint: if you are evaluating Card Key systems, make encryption on by default a must-have and a No Go decision point.&nbsp; Evaluating the newer designs is a job for another security researcher, or for when I come across one I have to assess, or one that is given to me ;-)</p><h2>Internet based Card Key systems</h2><p>For Internet based Card Key systems (like Brivo) where you log in to a web portal to grant or revoke access, a username and password are all you have to protect against break-in from anyone on the Internet, which is the world.&nbsp; So you had better use a very long password and a cryptic username that is not like anything else you use on your corporate network.</p><h2>A few of the flaws of network accessible Card Key systems</h2><p>One flaw with network based Card Key systems is the ability to open all doors in a maintenance mode.&nbsp; Yes, all your front, side and back doors, not to mention sensitive or secret locations.&nbsp; So your access control by user and function is worthless against the flaw we found, which is why better protection of the Card Key master controller(s) is required.</p><p>Another flaw with Card Key systems you might have is that logging is non-existent.&nbsp; I can brute force the system and you would have no idea that I was doing it; they do not have any usable logging or lockout capability after 5, 10 or 10,000 attempts.&nbsp; Keep in mind these systems were designed before they needed network access and the Lantronix daughter board modification.&nbsp; Adding the serial-to-Ethernet board opened up a whole new use, remote administration, without any re-design of the solution.&nbsp; The Internet is littered with these controllers, exposed for remote administration by a management or security company.</p><p>A third flaw is that these systems only had unencrypted communication.&nbsp; On the re-designed systems we were provided, encryption was off by default and thus only an option, not to mention off by default for 15 seconds if you could power cycle a system, which is not hard as these often have no battery backup.&nbsp; When I asked a Card Key system security implementer why they did not set the encryption option, a simple password or phrase to generate a unique key... His answer: "Because no one would remember or know how to find the password"... Grrrrreat!</p>
<img class="thumb-image" data-image="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5555e35de4b0741e9be05c36/1431692143711/" data-image-dimensions="200x200" data-image-focal-point="0.5,0.5" alt="" data-load="false" data-image-id="5555e35de4b0741e9be05c36" data-type="image" src="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5555e35de4b0741e9be05c36/1431692143711/?format=1000w" />
<h2><strong>Secure Option 1 - Network Isolation</strong></h2><p>Isolating the Card Key system and all the PCs that would access it is an option, but not overly practical for anyone but large organizations with dedicated IT network staff.&nbsp; But here is what to do if this is a viable option for your organization.</p><p><strong>Step One</strong>&nbsp;- Assess the signature of your Card Key system(s). Nmap or any other port scanning utility is your friend here.&nbsp; Throw scans at all of your Card Key systems and understand the ports they are using: ports 80, 443, 9999, 100001, etc.&nbsp; These are the ports used by the Windows fat client application to communicate with your Card Key interface.&nbsp; Lantronix systems have an obvious signature once you discover them; record what you have for future reference.</p><p><strong>Step Two</strong>&nbsp;- Who needs access to add users, and from where?</p><p>If you have any chance to limit access to the Card Key system over the network, you will need to know which users need access and, specifically, their systems' IP addresses; those will need to be static IPs in order to build ACL rules that limit which systems can even try to administer the Card Key system.&nbsp; If you can manage to limit whose computer needs to access your Card Key systems and from what locations, you might have a chance to build some network ACLs to restrict the Card Key system IPs to just the IPs of the workstations with the fat client.&nbsp; This is how you would secure the Card Key systems from a network access control perspective.&nbsp; Though if a malwarian pops one of these approved systems and finds the software... Game over.</p><p>Keep in mind that if I can find your Card Key system on your network, it IS game over, or more appropriately Doors Open, and all of them, not just one.</p>
<h2><strong>Secure Option 2 - Consider a replacement or upgrade</strong></h2><p><span>Once we reported the flaw to the vendor we tested, they graciously provided an updated system after they addressed the couple of issues they were able to, but Lantronix did not change a thing.&nbsp; This means the best way to address this vulnerability is to replace all your Card Key systems.&nbsp; I know this is a bad option since roughly 10,000+ Lantronix controllers are shipped each month... Yup....&nbsp; Major bummer for users of this legacy design.</span></p>
<h2><strong>Secure Option 3 - Isolate the Card Key system to a single PC (My highest recommendation)</strong></h2><p>Ironically, the reason the Lantronix serial-to-Ethernet daughter board was created was to move away from the limitation of one PC serially connected to the Card Key device, so that any user on the network could manage user access from any location or worse... over the Internet in the clear.. Yup, you heard me... Clear text auth!</p><p>This option would still allow you some flexibility in that you could locate the dedicated PC in any server room or closet with your other phone gear and use patch cables to connect directly to the PC via a hub or crossover cable.&nbsp; Using a second network card you could then connect the PC to the open network.&nbsp; If I were to scan your network for the Lantronix signature, I would not find any, just the Windows PC it was connected to, and no way to know if it had a Card Key system attached.&nbsp; This security option allows you to remote into the PC using basic Windows remote utilities, RDP, VNC, or whatever you fancy for remote control, from anywhere on the network and yes, if you use a secure remote control option, even over the Internet.</p><p>So there you have it, the basic ways to secure the Card Key systems controlling your door access.&nbsp; Check out what JGor (@Indiecom) has done with some nifty card cloning P0wnage. &nbsp;You might want to understand how this works as well, but it is a different problem and affects a specific user's card and the access of that card, unlike opening all the doors of a building.</p><p>Happy Hunting!</p><p>#InfoSec #CardKey&nbsp;</p>
https://www.malwarearchaeology.com/home/2015/5/14/protecting-card-key-systems-on-your-network
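<p>The assessment and ACL work from Secure Option 1, Steps One and Two, as an added example that is not from the original post: a Python script that parses Nmap grepable output into an inventory, flags hosts whose open ports match the controller signature the post lists (port 10001 is added here as an assumption, the Lantronix serial channel port), and then builds and evaluates the allow-list ACL that limits each controller to the static IPs of the approved fat-client workstations, rendered in Cisco extended ACL style for illustration. The scan output, the controller addresses 10.0.1.20/.21 and the admin workstation 10.0.2.10 are constructed samples.</p>

```python
"""Added example for Secure Option 1, Steps One and Two: turn a port scan into
an inventory of candidate Card Key controllers, then build the allow-list ACL
that limits them to the approved fat-client workstations. The scan output and
all addresses are constructed samples."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed controller signature: the post lists 80, 443 and 9999; 10001 is the
# Lantronix serial channel port and is an assumption added here. A host with
# the signature port open plus at least one more port from the set is treated
# as a candidate controller.
CONTROLLER_PORTS = {80, 443, 9999, 10001}
SIGNATURE_PORT = 9999

# Constructed nmap -oG (grepable) output; not a real scan.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.1.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "9999/open/tcp//abyss///, 10001/open/tcp//scp-config///\tIgnored State: closed (996)\n"
    "Host: 10.0.1.21 ()\tPorts: 80/open/tcp//http///, 9999/open/tcp//abyss///, "
    "10001/open/tcp//scp-config///\tIgnored State: closed (997)\n"
    "Host: 10.0.1.50 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.0.1.51 ()\tStatus: Up\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \([^)]*\)\s+Ports: ([^\t]+)")
PORT_RE = re.compile(r"(\d+)/open/tcp/")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each scanned host that reported ports to its set of open TCP ports."""
    inventory: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            inventory[m.group(1)] = {int(p) for p in PORT_RE.findall(m.group(2))}
    return inventory


def find_candidates(inventory: Dict[str, Set[int]]) -> List[str]:
    """Hosts whose open ports match the assumed controller signature."""
    return sorted(h for h, ports in inventory.items()
                  if SIGNATURE_PORT in ports and len(ports & CONTROLLER_PORTS) >= 2)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source IP or "any"
    dst: str               # controller IP
    port: Optional[int]    # None means any port


def build_acl(controllers: List[str], admin_hosts: List[str],
              ports: Set[int] = CONTROLLER_PORTS) -> List[Rule]:
    """Permit only the static admin workstations to each controller port, then
    deny everything else to that controller (first match wins)."""
    acl: List[Rule] = []
    for ctl in controllers:
        for admin in sorted(admin_hosts):
            for port in sorted(ports):
                acl.append(Rule("permit", admin, ctl, port))
        acl.append(Rule("deny", "any", ctl, None))
    return acl


def is_allowed(acl: List[Rule], src: str, dst: str, port: int) -> bool:
    """Evaluate one flow against the ACL; no matching rule is an implicit deny."""
    for r in acl:
        if r.src in ("any", src) and r.dst == dst and r.port in (None, port):
            return r.action == "permit"
    return False


def render_cisco(acl: List[Rule]) -> List[str]:
    """Render the rules in Cisco extended ACL style for illustration."""
    lines = []
    for r in acl:
        src = "any" if r.src == "any" else f"host {r.src}"
        if r.port is None:
            lines.append(f"{r.action} ip {src} host {r.dst}")
        else:
            lines.append(f"{r.action} tcp {src} host {r.dst} eq {r.port}")
    return lines


if __name__ == "__main__":
    found = find_candidates(parse_grepable(SAMPLE_SCAN))
    # 10.0.2.10 is the assumed static IP of the one approved fat-client workstation.
    for line in render_cisco(build_acl(found, ["10.0.2.10"])):
        print(line)
```

<p>The same inventory serves as the "record what you have" baseline from Step One: rerunning the scan later and diffing the candidate list shows any controller that appeared on the network without going through the ACL process.</p>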